* Ensure that otpauths are properly hidden from being displayed in safecontent mode. Fixes #3051

Signed-off-by: Fabio Alessandro Locati <me@fale.io>

* More complete implementation

Signed-off-by: Fabio Alessandro Locati <me@fale.io>

---------

Signed-off-by: Fabio Alessandro Locati <me@fale.io>
show command
The show command is the most important and most frequently used command.
It allows displaying and copying the content of the secrets managed by gopass.
Synopsis
$ gopass show entry
$ gopass show entry key
$ gopass show entry --qr
$ gopass show entry --password
Modes of operation
- Show the whole entry: `gopass show entry`
- Show a specific key of the given entry: `gopass show entry key` (only works for key-value or YAML secrets)
Flags
| Flag | Aliases | Description |
|---|---|---|
| `--clip` | `-c` | Copy the password value into the clipboard and don't show the content. |
| `--alsoclip` | `-C` | Copy the password value into the clipboard and show the content. |
| `--qr` | | Encode the password field as a QR code and print it. Note: When combining with `-c`/`-C` the unencoded password is copied, not the QR code. |
| `--unsafe` | `-u` | Display unsafe content (e.g. the password) even when the `safecontent` option is set. No-op when `safecontent` is false. |
| `--password` | `-o` | Display only the password. For use in scripts. Takes precedence over other flags. |
| `--revision` | `-r` | Display a specific revision of the entry. Use an exact version identifier from `gopass history` or the special `-<N>` syntax. Does not work with native (e.g. git) refs. |
| `--noparsing` | `-n` | Do not parse the content, disable YAML and Key-Value functions. |
| `--chars` | | Display selected characters from the password. |
Details
This section describes the expected behaviour of the show command with respect to different combinations of flags and config options.
Note: This section describes the expected behaviour, not necessarily the observed behaviour. If you notice any discrepancies please file a bug and we will try to fix it.
TODO: We need to specify the expectations around new lines.
- When no flag is set the `show` command will display the full content of the secret and will parse it to support key-value lookup and YAML entries. If the `safecontent` option is set to `true` any secret fields (current default is only `password`) are replaced with a random number of '*' characters (length: 5-10). Using the `--unsafe` flag will reveal these fields even if `safecontent` is enabled. `--password` takes precedence over `safecontent=true` as well and displays only the password.
- The `--noparsing` flag will disable all parsing of the output. This can help when debugging YAML secrets, for example, where `key: 0123` actually parses into octal for 83.
- The `--clip` flag will copy the value of the `Password` field to the clipboard and doesn't display any part of the secret.
- The `--alsoclip` option will copy the value of the `Password` field but also display the secret content depending on the `safecontent` setting, i.e. obstructing the `Password` field if `safecontent` is `true` or just displaying it if not.
- The `--qr` flag operates complementary to other flags. It will additionally format the value of the `Password` entry as a QR code and display it. Other than that it will honor the other options, e.g. `gopass show --qr` will display the QR code and the whole secret content below. One special case is the `-o` flag; this flag doesn't make a lot of sense in combination, so if both `--qr` and `-o` are given only the QR code will be displayed.
- Since gopass plans to support different RCS backends we do not support arbitrary git refs as arguments to the `--revision` flag. Using those might work, but this is explicitly not supported and bug reports will be closed as `wont-fix`. There are two issues with using arbitrary git refs: (a) this doesn't work with non-git RCS backends and (b) git versions a whole repository, not single files, so the revision `HEAD^` might not have any changes for a given entry. Thus we only support specific revisions obtained from `gopass history` or our custom syntax `-N`, where N is an integer identifying a specific commit before `HEAD` (cf. `HEAD~N`).
Parsing and secrets
Secrets are stored on disk as provided, but are parsed upon display to provide extra features such as the ability to show the value of a key using `gopass show entry key`.
The secrets are split into 3 categories:

- the plain type, which is just a plain secret without key-value capabilities

  ```
  this is a plain secret
  using multiple lines
  and that's it
  ```

  gets parsed to the same value

- the key-value type, which allows querying the value of a specific key. This does not preserve ordering.

  ```
  this is a KV secret
  where: the first line is the password
  and: the keys are separated from their value by :
  and maybe we have a body text below it
  ```

  will be parsed into (with `safecontent` enabled):

  ```
  and: the keys are separated from their value by :
  where: the first line is the password
  and maybe we have a body text below it
  ```

- the YAML type, which implements YAML support, which means that secrets are parsed as per the YAML standard.

  ```
  s3cret
  ---
  invoice: 0123
  date   : 2001-01-23
  bill-to: &id001
      given  : Bob
      family : Doe
  ship-to: *id001
  ```

  will be parsed into (with `safecontent` enabled):

  ```
  bill-to: map[family:Doe given:Bob]
  date: 2001-01-23 00:00:00 +0000 UTC
  invoice: 83
  ship-to: map[family:Doe given:Bob]
  ```

  Note how the `0123` is interpreted as octal for 83. If you want to store a string made of digits such as a numerical username, it should be enclosed in string delimiters: `username: "0123"` will always be parsed as the string `0123` and not as octal.
By default, `safecontent` will remove the first line (the password), every line starting with `otpauth://` in the body, and every YAML value where the key is one of the following: `hotp`, `otpauth`, `password`, `totp`.
Both the key-value and the YAML format support so-called "unsafe-keys", which is a key-value that allows you to specify keys that should be hidden when using `gopass show` with the `gopass config` option `safecontent` set to `true`.
E.g.:

```
supersecret
---
age: 27
secret: The rabbit outran the tortoise
name: John Smith
unsafe-keys: age,secret
```

will display (with `safecontent` enabled):

```
age: *****
name: John Smith
secret: *****
unsafe-keys: age,secret
```

unless it is called with `gopass show -n`, which disables parsing of the body but still hides the password, or `gopass show -f`, which shows everything that was hidden, including the password.
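To make the `safecontent` rules concrete (the Details list above and the unsafe-keys example just shown), here is an added Go model that is not gopass's own code: it renders a KV secret the way the documentation describes, dropping the password line and `otpauth://` lines, masking the built-in hidden keys and the secret's `unsafe-keys` with 5-10 '*', and revealing everything when `--unsafe` is given. The function name `Render` and its signature are assumptions for this example.

```go
package main

import (
	"math/rand"
	"sort"
	"strings"
)

// Keys that safecontent always hides, as listed in the documentation above.
var builtinUnsafe = map[string]bool{"hotp": true, "otpauth": true, "password": true, "totp": true}

// Render models what `gopass show` prints for a KV secret whose first line is the
// password: safecontent is the config option and unsafe is the --unsafe/-u flag.
// Keys are printed sorted because KV parsing does not preserve ordering.
func Render(secret string, safecontent, unsafe bool) []string {
	lines := strings.Split(strings.TrimRight(secret, "\n"), "\n")
	hide := safecontent && !unsafe
	var out []string
	if !hide { // safecontent drops the password line unless --unsafe is given
		out = append(out, lines[0])
	}
	kv, keys, rest := map[string]string{}, []string{}, []string{}
	for _, l := range lines[1:] {
		k, v, isKV := strings.Cut(l, ":")
		switch {
		case strings.HasPrefix(l, "otpauth://"): // URI line: dropped entirely under safecontent
			if !hide {
				rest = append(rest, l)
			}
		case isKV && !strings.Contains(strings.TrimSpace(k), " "):
			k = strings.TrimSpace(k)
			kv[k], keys = strings.TrimSpace(v), append(keys, k)
		case l != "---": // plain body text, printed after the keys
			rest = append(rest, l)
		}
	}
	unsafeKeys := map[string]bool{} // the secret's own unsafe-keys list
	for _, k := range strings.Split(kv["unsafe-keys"], ",") {
		unsafeKeys[strings.TrimSpace(k)] = true
	}
	sort.Strings(keys)
	for _, k := range keys {
		v := kv[k]
		if hide && (builtinUnsafe[k] || unsafeKeys[k]) { // random number (5-10) of '*'
			v = strings.Repeat("*", 5+rand.Intn(6))
		}
		out = append(out, k+": "+v)
	}
	return append(out, rest...)
}
```

Run with the secret from the example above and `safecontent` enabled, it yields the same four lines shown there, with `age` and `secret` masked and `unsafe-keys` left visible.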
You can read more about secrets formats in its documentation.
Notice that if the `parsing` option is disabled in the config, then all secrets are handled as plain secrets.